← Frameworks / Financial Regulation

ECB Cyber Resilience Oversight Expectations for Financial Market Infrastructures

European Central Bank expectations for cyber resilience of euro area financial market infrastructures. 21 expectations across 3 pillars: governance (board oversight, risk appetite, cyber strategy), identification and protection (threat-led testing, situational awareness, learning and evolving), and detection and response (incident management, recovery, crisis communication). Builds on CPMI-IOSCO cyber resilience guidance with ECB-specific supervisory expectations.

Clauses: 21

Avg Coverage: 76.4%

Publisher: European Central Bank (ECB) Version: 2018

ECB CROE → SP 800-53 SP 800-53 → ECB CROE Coverage Analysis

Clause	Title	SP 800-53 Controls
CROE.2.1.1	Governance — Cyber resilience strategy and framework	PL-01 PL-02 PL-09 PM-01 PM-02 PM-03 PM-09 PM-13 PM-28 PM-29
CROE.2.1.2	Governance — Role of the board and senior management	AT-01 AT-02 AT-03 AT-06 PL-04 PM-02 PM-13 PM-14 PM-29 PS-01 PS-02 PS-03 PS-06 PS-09
CROE.2.2.1	Identification — Risk assessment framework	CA-02 CA-06 CA-07 PM-04 PM-05 PM-09 PM-28 RA-01 RA-02 RA-03 RA-05 RA-07 RA-09
CROE.2.2.2	Identification — Information asset management and classification	CM-08 CM-12 CM-13 MP-01 MP-02 PM-05 PM-11 RA-02 RA-09 SA-09 SC-28
CROE.2.2.3	Identification — External dependencies and interconnections	AC-20 CA-03 PM-08 PM-11 PM-15 SA-04 SA-09 SR-01 SR-02 SR-03 SR-05 SR-06
CROE.2.3.1	Protection — Access management and identity	AC-01 AC-02 AC-03 AC-05 AC-06 AC-07 AC-09 AC-10 AC-11 AC-12 AC-24 IA-01 IA-02 IA-04 IA-05 IA-08 IA-12
CROE.2.3.2	Protection — Personnel security and awareness	AT-01 AT-02 AT-03 AT-04 AT-06 PL-04 PS-01 PS-02 PS-03 PS-04 PS-05 PS-06 PS-07 PS-08
CROE.2.3.3	Protection — Data security and cryptographic protection	MP-01 MP-02 MP-03 MP-04 MP-05 MP-06 PT-01 PT-02 PT-03 SC-08 SC-12 SC-13 SC-28 SI-07 SI-12
CROE.2.3.4	Protection — System security and configuration management	CM-01 CM-02 CM-03 CM-04 CM-05 CM-06 CM-07 CM-09 CM-10 CM-11 CM-14 MA-01 MA-02 MA-04 MA-05 SA-08 SA-11 SA-15 SA-22 SI-02 SI-03 SI-16
CROE.2.3.5	Protection — Network and infrastructure security	AC-04 AC-17 AC-18 AC-19 CA-03 SC-02 SC-03 SC-04 SC-05 SC-07 SC-08 SC-20 SC-21 SC-22 SC-39 SC-44 SI-04
CROE.2.3.6	Protection — Physical and environmental security	PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-08 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-17 PE-18
CROE.2.4	Detection — Monitoring and detection capabilities	AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-09 AU-12 AU-13 AU-14 CA-07 IR-04 PM-14 PM-16 RA-05 RA-10 SC-05 SC-07 SC-26 SI-03 SI-04 SI-05 SI-07
CROE.2.5.1	Response and recovery — Incident management and response	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09 PM-12 SI-05
CROE.2.5.2	Response and recovery — Recovery planning and 2-hour RTO	CP-01 CP-02 CP-03 CP-04 CP-06 CP-07 CP-08 CP-09 CP-10 CP-12 CP-13 PE-11 PE-17 PM-08 SC-24 SC-36
CROE.2.5.3	Response and recovery — Crisis communication and coordination	CP-02 CP-12 IR-06 IR-07 PM-08 PM-15 SI-05
CROE.2.6.1	Testing — Comprehensive cyber resilience testing programme	CA-02 CA-04 CA-08 CP-04 IR-03 PM-14 RA-05 RA-06 SA-11 SA-15 SI-06
CROE.2.6.2	Testing — TIBER-EU threat intelligence-led red teaming	CA-08 PM-16 RA-05 RA-10 SC-26
CROE.2.7.1	Situational awareness — Threat intelligence and monitoring	AU-13 PM-15 PM-16 RA-03 RA-05 RA-10 SI-05 SR-06 SR-08
CROE.2.7.2	Situational awareness — Sector-wide information sharing	IR-06 PM-12 PM-15 PM-16 SI-05
CROE.2.8.1	Learning and evolving — Lessons learned and continuous improvement	AT-06 CA-02 CA-05 CA-07 IR-04 IR-05 PM-04 PM-14 PM-31 RA-07 SI-02
CROE.2.8.2	Learning and evolving — Adapting to emerging threats and regulatory evolution	AT-02 AT-03 PM-15 PM-16 PM-31 RA-03 RA-07 SA-22 SI-02 SI-05